CA Mainframe Software Manager r3 - Error: An error occurred trying to connect to Support Online.

Products

Compress Data Compression for MVS Compress Data Compression for Fujitsu Datacom DATACOM - AD Mainframe Software Manager (Chorus Software Manager) MICS Resource Management CIS COMMON SERVICES FOR Z/OS 90S SERVICES DATABASE MANAGEMENT SOLUTIONS FOR DB2 FOR Z/OS COMMON PRODUCT SERVICES COMPONENT Common Services CA ECOMETER SERVER COMPONENT FOC Easytrieve Report Generator for Common Services INFOCAI MAINTENANCE IPC UNICENTER JCLCHECK COMMON COMPONENT Mainframe VM Product Manager CHORUS SOFTWARE MANAGER CA ON DEMAND PORTAL CA Service Desk Manager - Unified Self Service PAM CLIENT FOR LINUX ON MAINFRAME MAINFRAME CONNECTOR FOR LINUX ON MAINFRAME GRAPHICAL MANAGEMENT INTERFACE WEB ADMINISTRATOR FOR TOP SECRET Xpertware

Issue/Introduction

Description:

Under certain environments it is possible to experience the following problem in the CA Mainframe Software Manager UI when attempting an action from the Software Catalog that tries to access CA Support Online (CA SO).

 
 Error: An error occured trying to connect to CA Support Online.
 java.net.SocketException: java.security.NoSuchAlgorithmException: SSLContext
 Default implementation not found:

When viewing the CA Mainframe Software Manager tomcat log you will see a message like:

DEBUG .....  (ConsumeSC.java:106): IO Error was detected during PAS processing. ... 
java.security. NoSuchAlgorithmException: SSLContext Default implementation not found:

Solution:

This error is related to the java runtime security for SSL connections.

In the CA Mainframe Software Manager runtime data set SAMPLIB(MSMLIB), note the USS path specified for "export JAVA_HOME=".
Using this as the parent directory, locate the lib/security subdiretory in USS. There is a java.security file with a section header "List of providers and their preference orders (see above).". This section should closely resemble these entries:

 
security.provider.1=com.ibm.jsse2.IBMJSSEProvider2
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.security.jgss.IBMJGSSProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.security.sasl.IBMSASL
security.provider.6=com.ibm.xml.crypto.IBMXMLCryptoProvider
security.provider.7=com.ibm.xml.enc.IBMXMLEncProvider
security.provider.8=org.apache.harmony.security.provider.PolicyProvider
security.provider.9=com.ibm.security.jgss.mech.spnego.IBMSPNEGO

If you notice an entry that is similar to the following:

security.provider.1=com.ibm.crypto.hdwrCCA.provider.IBMJCECCA

then you may have implemented a hardware ICSF keystore as the default keystore for the java runtime.

If you want to determine if this is the case, edit the MSMLIB member to add an option which dumps keystore information:

-Djavax.net.debug=true

After restarting the CA Mainframe Software Manager Tomcat server, look for an output line like:

keyStore type is: jks

"jks" is the default keystore with which CA Mainframe Software Manager will successfully establish http SSL connections.

If you see a keyStore.type=jceccaks, that is indicative of a hardware ICSF keystore and most likely the root cause of the exception logged in CA Mainframe Software Manager.

The jceccaks keystore type may have been implemented with IBM EKM tape encryption.

To change the default keyStore back to "jks", please consult your z/OS system programmer.

Additional references:

 ftp://public.dhe.ibm.com/s390/java/jsse/JSSEzOSRefGuide.html
 http://www-03.ibm.com/systems/z/os/zos/tools/java/faq/javasecurityfaq.html
 http://www.redbooks.ibm.com/redbooks/pdfs/sg247610.pdf

Environment

Release:
Component: MSM